Long time ago Sourceforge and then GitHub promoted into the current default the model of open source distribution which is not sustainable and I doubt it is something that the founding fathers of Free Software/Open Source had in mind. Open source licenses are about freedom of using and modifying software. The movement grew out of frustration that commercial software cannot be freely improved and fixed by the user to better fit the user's needs. To create Free software, you ship sources together with your binaries and one of the OSI-approved licenses, that is all. The currently default model of having an open issue tracker, accepting third party pull requests, doing code reviews, providing support by email or chat, timely security patches etc, has nothing to do with open source and is not sustainable. This is OK if it is done for a hobby project as long as the author is having fun doing this work, but as soon as the software is used for commercial, production critical systems, the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane. This is software support, it is a job, it should be paid.
Years ago, I built what I thought was a pretty basic static site generator using HapiJS. I was using it for personal projects and after some convincing by friends, put it up on Github. My friends went on Reddit and posted it and then told me about it afterwards.
It initially got some decent traction and then all of a sudden, all the pull requests came, all the feature requests and then all the bug reports.
I kept telling people this was a side project, if they want to fork it go ahead, but this is not something I'm going to spend a ton of time on. Then all the hate started about how I put something out into the OSS community with no desire to support it. I was bad person, my code was shit and I should stop being a developer.
That was my first and last OSS project.
I applaud and respect the people who are committed to getting OSS out there, but for me, it was a horrible experience.
Bitching is free and easier than making pull requests. And I bet it was 1 or 2 choads plus a variable pack of minions, not everyone. And Megacorp X can file all the bug reports they want, their lack of investment is not my urgency.
In general, there is a difference of ethos and culture between Free Software and Open Source movements. GitHub is the latter: strewn with expectations from low-effort requests.
With free software, many projects have their own code hosting with separate accounts, sometimes even separate bug trackers with another set of accounts (think Bugzilla + GitLab). Any submission is by definition bigger effort, and thus the culture is significantly different.
As an example, just try submitting a patch to GNU libc (if it hasn't switched to GitHub in the intervening years, though I'd be surprised as it's a GNU project, but it's also largely supported by Red Hat), and see where you get to. Or join the GNOME community and submit a fix. Or FreeDesktop. Or KDE. Or...
If you allow me to go on a meandering tangent/exploration:
___
I mean if you think about it, this outcome is more or less inevitable, given the environment we've created.
The foundational building block being that people will always optimize for their own benefit and personal gain. They fundamentally have to, because no one else will.
So that gives us a natural source of conflict, because not everyone is a builder (or at least not everyone believes that they would), meaning that they need to get someone else to do what they want to get done.
You as a builder of course operate no different to that. You also want to optimize for your own personal gain.
Where it is different though is that you do not rely that much on external resources to do that, given that you can create by your own.
So these are our building blocks.
To have a functioning societal system, we do want and need to allow people that don't to receive a decent-ish slice of the output of those that create for various reasons.
Something something shared humanity, but also the fact that a society built out of autonomous builders quickly collapses. Plus multi-dimensionality, meaning that person A might be a builder in discipline X, but needs others to sustain themself in discipline Y. Society and all. Shared workload.
The mechanism that regulates the flow of resources between these agents is friction.
For example, social shaming for not sharing the fair part of what you're earning is friction. That is a constant eroding force and cost that is supposed to shift your internal mental calculus to make contributing to society the most sensible outcome.
Equally so, the act of being protective of your time, demanding respect, boundaries and fair compensation is friction that is supposed to shift someone else's mental calculus to make fair treatment of you the most sensible outcome.
____
Okay, many words, but what the fuck am I on about?
Here's where this self-regulating system implodes:
In the last two decades or so, we have absolutely supercharged the mechanism of shaming and public pressure (rel: Twitter).
Simultaneously though, we've also _vastly_ nerfed any forms of friction a builder might employ. (rel: GitHub as the default, being "nice and professional" as the default, etc.)
And that is what simply is not working.
But we're not talking about that properly, because any platforms we currently have for talking about stuff are absolutely and utterly dominated by those that do not create; meaning that they get to dictate the rules.
In a very unsustainable way of course (see also collapse of democracy in general) but that is still the reality we find us in.
___
And that is _I think_ also where we can find solutions to these problems.
Don't get me wrong, I'm not proposing to return to linus and tell people that they should be retroactively aborted for having made a mistake.
There were many very important advancements we made culturally to push out toxicity.
We will need to reintroduce friction though.
Likewise, we will need re-engineer our communication spaces to shift the balance of power back to a sustainable equilibrium.
Which doesn't mean "cold uncaring meritocracy" (also, what even is merit?) but it will mean not handing out ever-larger megaphones based on who is already screaming the loudest.
___
Anyway, TL;DR:
It's the system, stupid. It is like this, because it can't be any else given the currently governing rules.
I've often dreamed of a system where normal users, give money as a promotion for a certain issue to be fixed or even created, if the user wants feature X then he should be able to give an incentive towards that feature to be added into the software that they use, developers do bounties instead, the user doesn't have to give much only a dollar, but if many users want feature X, then the money/donations pool creating higher incentives until the task itself matches the level of work to be performed to achieve it until merged.
The project managers also get a cut of all merges, testers also must approve of the merge and that feature X is the one they want. So the project manager gets to work and improve/reject features, the user gets control over the features of the project they want and developers get to pick specific features they would like to work on (sort of). everybody gets what they want (sort of). All via attaching $ to the issues of the software, not the people.
All we need to do is create Kalshi contracts! Users bet that a fix won't be created for Issue 123 by date XYZ, developers take the other side of the contract and then do the best kind of insider trading: changing the facts on the ground. We did it!
> I've often dreamed of a system where normal users, give money as a promotion for a certain issue to be fixed or even created, if the user wants feature X then he should be able to give an incentive towards that feature to be added into the software that they use, developers do bounties instead, the user doesn't have to give much only a dollar, but if many users want feature X, then the money/donations pool creating higher incentives until the task itself matches the level of work to be performed to achieve it until merged.
Have a bot on GitHub that nags people about the pool of committed money towards each feature, to show that they care about it - with the money being placed into an escrow and being released once the feature is implemented and merged, or until a date is reached with no merge and it's given back to everyone / or when the request is closed with no changes. Ofc no idea how you'd validate each individual issue well enough to prevent someone from misusing it, but one could feasibly create such a system, even if it'd probably get a lot of opposition from everyone.
> I've often dreamed of a system where normal users, give money as a promotion for a certain issue to be fixed or even created
It might be good to have such a system as an option, but I wouldn't want it to become an expectation. I've got a couple of side projects that are out on GitHub. They have open source licenses and anyone is welcome to fork them, send bug reports, or pull requests, but I don't want to have any obligation of supporting those projects.
That's actually how a number of OSS projects work, we'll give you what we want for free but if you want us to do what you want you'll need to pay us. Having to implement a compatibility mechanism for some company's buggy train wreck from 20 years ago is a lot easier when you know you'll get paid at the end of it. A number of OSS dual licenses have been created to accommodate this.
You know what would be nice? For these billionaires to start sponsoring people instead of sitting on the obscene heaps of money they have—a patronage system. Everyone wins.
Are there any projects that have achieved anything close to this? I'm not against it in principle, but it seems like it ends up incurring issues from tiptoeing around wanting all the benefits of an incorporated business with employees or at least contractors without the stigma(?) of getting all official and putting someone in the hot seat of responsibility. Off the top of my head:
- A business has some intrinsic motivation however minuscule to fix unsexy issues like security problems or problems that aren't as visible to customers so they don't get hacked and sued and go under; in a pay-what-you-want bounty scheme all of your users are playing chicken to not be the one to put up the money for the fix. Instead they'll wait until it becomes a problem and fix it in their own branch; no reason to bother upstreaming it until someone comes forward putting up the money.
- IMO there's no way to measure cuts for something like this that can't be gamed. If you close out the bountied issue, but you make use of a bunch of utility code I contributed last week, who gets it? Or if the code I contributed is mostly a mechanical refactor of some very complex code someone else wrote? Do we divvy it up by lines of code, number of commits, etc, and that's just for the squint-and-it's-qualifiable metrics for engineers. No idea how you'd measure a cut for project managers. Someone also may be the steward of the repository and handle administrative work but not do a whole lot of feature-fixing, what cut do they get? Instead of juggling KPIs you can just pay all these people for their common contribution - time - and then you're back at something that businesses do really well.
- For any bounty system to work you need somewhere to track the bounties and hold money in escrow for payouts. Those services exist, they cost money to run, and they are going to take a cut. I'd assume they'd also invest and grow that money while they have it unless that's illegal for some reason I'm not aware of. An incorporated business keeps its bounties in the issue tracker, and its money in an account that accumulates interest that can go toward further development on the actual product instead of third-party support services. Crypto is a no-go here because that limits your contributor pool to exclusively crypto perverts, otherwise normal people have to speculate on it and convert it to normal useful money for a fee.
- I've worked at a place where the devs got to work on whatever they wanted. Required to, really, because there was very little interest or hands-on management from the owner in the direction of the product as long as sales were stable. We had a great time and got paid and we all learned a lot on company time and last I checked they are no longer in business.
- Timelines are a big factor too. If some open-source software I'm using is missing a big feature I'd like (and if post-2024, it's too substantial to just make a copy and have Copilot customize it for my use) I'm still not going to kick in the first $10 in the hopes that somebody someday builds that feature for me. I'm going to be dead or not using the software by then. If I thought the feature I wanted was worth $10,000 and I had $10,000 to kick towards it in the hopes that somebody somewhere would decide to build it, I would instead hire somebody on contract terms to do the work with a greater guarantee of results and some recourse if they screw me.
Those normal users are better off instead purchasing software. Then they will be listened to by developers if they report a bug or suggest a feature. Because they represent an incredibly valuable user segment: paying customers.
> I doubt it is something that the founding fathers of Free Software/Open Source had in mind.
Free Software sure, that wasn't the point.
Open Source, that was exactly the point. Eric S Raymond, one of the original promoters of the concept of Open Source coined Linus' Law:
Given enough eyeballs, all bugs are shallow
Which definitely points in the direction of receiving bug reports and patches from users of the application. He was also a proponent of the Bazaar model, where software is developed in public, as opposed to the Cathedral model where software is only released in milestones (he used GCC and Emacs as examples, which reinforces the part of your statement about the Free Software movement in particular).
ESR is also from a time where spamming countless reports/junk code wasn't really a concept.
They did have things like trolls and zealots that thought "Their one idea" was a gift from god and the maintainers were idiots for not adding it to the application. And eventually those people may have been banned from mailing lists. But in general the people posting code were typically well known and had some interest in fixing the application for some useful purpose.
Simply put, no idealism stands the test of time without change. Nature shows us that everything must evolve or it goes extinct. How 'free software' evolves is now up for debate.
Linus’ Law doesn’t really imply anything about maintainers behavior though. As an example, you can imagine maintainers that never update their repos. Every bug fix is a forking of the repo, and people only use the repo with the latest commits. Eventually, the bug count goes down as well!
I don’t agree with this newer idea that has arisen that FOSS authors are “victims.”
It’s up to you to set boundaries (or prices) and communicate them, like an adult. If one is still rude and entitled then ban them from the repo, or let people fork, but not before looking in the mirror first and reflecting at your own behavior.
(I’m trying to imagine folks painting xfree86 maintainers as victims back in the day when xorg forked them for intransigence. The point is disagreements happen, deal with them.)
Afaict github allows you to disable 'Issues' per repo, yet few do. I presume that means they are okay engaging with issues on some level, but I find it odd almost none post a policy/expectations around them.
> I’m trying to imagine folks painting xfree86 maintainers as victims back in the day when xorg forked them for intransigence. The point is disagreements happen, deal with them.
... Did they try anything as petty as the xorg maintainers are nowadays?
Sourceforge is almost 30 years old. GitHub almost 20.
How long does something have to be done a certain way for it to be "to do with"?
I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.
That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.
I partially disagree. It does have to do with open source: Github (et al) are about creating a community around an open source project. It's hard to get adoption without a community; it gives you valid bug reports, use cases you didn't think of, and patches.
You can, if you want, turn off PRs, issues, and literally any feedback from the outside world. But most people don't want that.
> and is not sustainable
I 100% agree. People (including people at for profit companies) are taking advantage of the communities that open source maintainers are trying to build and manipulating guilt and a sense of duty to get their way.
The most insidious burnout I see is in disorganized volunteer communities. A volunteer is praised for jumping in with both feet, pushes themselves really hard, is rewarded vocally and often and with more authority, and is often the one applying the most pressure to themselves. There's no supervisor to tell them to pace themselves. And when their view switches from idealistic to realistic and then falls into pessimistic, they view the environment through a toxic lens.
> You can, if you want, turn off PRs, issues, and literally any feedback from the outside world. But most people don't want that.
Literally you cannot, you can turn off "Issues", but you cannot turn of pull requests, Microsoft/GitHub forces you to leave that open for others to submit PRs to your repositories no matter what you want.
Yea, and before we got issue trackers quite commonly issues and code chunks were shared via email lists that quite commonly had online archives. Think things kind of like the LKML.
I thought about this a lot recently and decided that the small, mostly complete, project I work on now, if I release it (I probably will), I will just post an archive somewhere with the source code, like in old days.
> I doubt it is something that the founding fathers of Free Software/Open Source had in mind.
From the beginning, GNU projects welcomed contributions, and discussions of bugs and features were in the public. Sure it was on mailing lists, not on Github, but it was more than just shipping sources with the binaries.
That isn't to say you have to accept third party pull requests and have an open bug tracker to be free software/open source. Sqlite is a famous example that doesn't follow that model.
I dunno, I think at one point there was a similar merge as to what happened with "git and "github" where "open source the licensing" somehow became the same as "open source the collaborative and open software development process", and nowadays people get kind of confused when you say you're doing open source yet you don't accept pull/merge requests.
> the default expectation that authors will be promptly responding to new GitHub issues, bug reports and provide patches for free is insane.
I think there are many insane expectations out there, open source or not, so I don't personally see it that linked with the idea/ideal of open source.
> This is software support, it is a job, it should be paid.
Anything can be paid, nobody says otherwise. Some people prefer nobody pays for their source code (open source). Other people do support for free. And so on.
> The currently default model of having ... has nothing to do with open source and is not sustainable.
There were always arguments why open source will not be sustainable, many having some truth in them. But the current issue can be probably solved with some push-back on the speed of things or how attribution works. Something similar used to happen on some forums: you can't post a new thread for one month if you did not reply at least once without getting down-voted. For the current problem : if contributions are anonymous for the first 3 years of you contributing (if you are not banned) and your name becomes public only after, then all this "noise" for "advertisement" will die. Doubt this will discourage any well intentioned contributor.
Irrelevance. The moment you paywall a project, it’s a death sentence. Unless you have a unique and highly sought-after product (top 1%), someone else will just make a free alternative.
Totally agree. The expectations around what an OSS project should - or even must - have, do, and accommodate is absolutely insane. It boggles my mind sometimes as someone who grew up on OSS. I still contribute OSS and maintain some (small) projects, but I certainly don't feel compelled to support people. I often license MIT. People are grown ups, they can go fix their own issues.
You mischaracterize the problem. You write like the problem would be corporate freeloaders forcing bug fixes on the open source.
Huge problem for successful OSS projects is like what we have for cURL right here - newbies trying to "earn badge of honor" for scoring CVE on high profile project. The variation of it is newbies trying to score OSS contribution on high profile project (hacktoberfest).
In the end all of it is propping own CV to land a software engineering job or cybersecurity job by wannabes.
As much as I don't want to do gatekeeping and especially "old" Linus Torvalds way of gatekeeping — cURL, Linux Kernel and many high profile projects require gatekeeping to go on forward. We didn't even start on the security side of things not to allow "shady contributors".
I hate "CV proppers", "OSS as great marketing tool", "corporate freeloaders", "APT threat actors using OSS as attack vector" because they break nice things that we could have.
The original model works, the new model significantly fails. LLMs have taken many cases that were on the border over the line into failure, by changing the resource management tradeoffs. (Both by giving valuable contributors a cheap way to get 'extra eyes' on their own terms, and by empowering a new generation of trisectors and trolls to flood out even the most efficient public submission pipelines).
Technically correct, but not an issue in practice. If you want a licence that's approved by the OSI but not the FSF, or vice versa, you have to go looking for it. If memory serves there are no licences in the latter category, and the few in the former category are very obscure.
> This is software support, it is a job, it should be paid.
It is paid, even if not in money. It seems like maybe you lack awareness of the other forms of capital and reward that exist, because your framing implicitly insists that financial capital is the only form of capital and that monetary reward is the only form of reward. But there are also a bunch of other forms of capital, like social, cultural, symbolic, etc. which you have missed, and there are non-capital (non-convertible) forms of reward, like feeling good about something. It's the entire reason why permissive licenses still preserve attribution.
To wit, people maintain things literally all the time either purely for prestige, or because being a contributing member of a community, even a small one, makes them feel good, or because knowing that maintaining things leads others to also maintain things. There are both intrinsic and extrinsic non-monetary gains here.
Stallman makes the same critical error in his foundational writings, so at least you're not alone in this.
>people maintain things literally all the time either purely for prestige, or because being a contributing member of a community, even a small one, makes them feel good, or because knowing that maintaining things leads others to also maintain things.
True, but the expectation means that taking on maintenance involves taking on and leveraging a large amount of reputational debt in a very risky way.
If you release something to the world and place yourself in a high-visibility maintainer position, burn out on it and then decide to drop it, it's very hard to ensure that your legacy and reputation in perpetuity will be "released something great and did the world a solid by maintaining it for a while" as opposed to "person who overcommits, bails, and leaves the world in a jam".
I've been helping a bit with OWASP documentation lately and there's been a surge of Indian students eagerly opening nonsensical issues and PRs and all of the communication and code is clearly 100% LLMs. They'll even talk back and forth with each other. It's a huge headache for the maintainers.
I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
Resume glorification and LinkedIn / GitHub profile attention do that.
I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.
Torvalds was right, code maintenance is going to be a headache thanks to LLMs.
At this point I won’t consider any GitHub activity after ~2024 as hiring signals unless it’s very substantial work on high profile projects that clearly have high bars.
> Torvalds was right, code maintenance is going to be a headache thanks to LLMs.
I know someone in a senior engineering position at Epic who does nothing but clean up PR's from their off-shored Ukrainian sweat shop coders handing in AI slop because all they need to do is close a ticket to get paid. They wind up rewriting half or more of it. Epic doesn't seem to care so long as this "solution" works and saves them money by paying a few really smart people to code janitor until hopefully all of them can be replaced by LLMs.
I’m actually of the mind it will be easier IF you follow a few rules.
Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.
Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.
I've seen this - it's tiring even at low volume. Goes something like:
Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps).
Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.
GitHub PM here working on how we can make this problem feel better for maintainers. Really appreciate how tiring this can be, especially when even low volume is sustained for many months.
Would love your thoughts on some of the things we're thinking about:
- Would it help to disable all PRs? All non-contributor PRs?
- Would a "close as admin" button help address the issue of not wanting to be rude or discouraging?
- What about Copilot doing an initial review and proposing to close anything that doesn't meet contribution guidelines - would that help a "close this" decision feel less personal?
You've been getting PRs? All I've ever seen is "can you assign this issue you me" spam and then disappear. I was nice to them for years but now I just delete the comment and block the users.
I contribute regularly to some major open source projects and it’s happening here too. So many issues that aren’t issues. Constant “fixing” of documentation that doesn’t need to be fixed. Bug reports that aren’t bugs, followed by a bad PR “fixing” the “bug.” Or YOLOing an LLM PR to change major behavior that users are relying on. And I click and the authors are always brand new, with only vibe coded or examples projects in their history, and have some truly awful LLM generated GitHub “about me” page complete with emojis and links to their GitHub “projects.”
My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).
It’s so much noise that it’s hard to find the real issues.
GitHub PM here. From what we've seen, you're right about the motivation; I've also seen plenty of job ads where "significant contribution to open source" is something that's called out explicitly as a valid substitute for professional experience in the area. While that's always well-intentioned and creates many benefits for the OSS community, the flip side is that it can also lead to the kind of problems you're seeing. Many new users are also motivated by learning and community, and not familiar enough with the community expectations to know how to seek that differently.
We have tried a lot here in the past (good first issues, more community support for new users), but haven't found a perfect solution yet. Internally, we're looking at options for admins to disable PRs on repos, or limit PRs to collaborators only, for example. From your comment, it seems like part of the challenge you're experiencing as a user is around Issues specifically. We've also been looking at options to delete PRs and Issues individually and in bulk, which could help after the event. Would welcome any feedback on other paths we could take here.
Reminds me of this Indian GitHub tutorial on how to open a PR on GitHub. The video got millions of views and has flooded a specific repo with countless README update PRs of people (mostly Indian) trying to append their name to the README.
they flooded THE major server side js framework and it's happening to this day, every day. Express is something to backend what jQuery was to frontend 15 years ago
I'd argue that the or at least one major reason for the downfall of Stackoverflow (and not just a catalyst) has been a surge of Indian IT people triggering an avalanche of extremely low quality questions and answers. I've been a big fan of SO since about 2010. Not just didn't mind the harsh moderation but actually attribute to it learning how to properly ask a question. But at some point round about 2019/2020 it stopped being fun due to it going from knowledge base to garbage dump.
"According to the story, the British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped, and the cobra breeders set their snakes free, leading to an overall increase in the wild cobra population."
worked well for a bit. but then the program became popular and that’s when it hit the curb. terrible loss, imo. it was a brilliant idea to encourage open source work with a token reward. it relied heavily on good intentions, which quickly disappeared with the popularity.
The funniest/saddest part is that you could just game it on your own repos, you never had to go out and spam any real projects. If you just made 5 PRs in a repo you owned with the appropriate hacktoberfest tags, that was enough to pass the mark and to get the free shirt and stickers.
Usually the protection against such spam is social shame but the internet is now full of people who have no shame because shame was never part of their culture. It would be more effective to use GeoIP in this case.
I wonder how much of it could be stopped just by charging $5 a month to contribute to public open source repos. Even if github gave the $5 back in LLM credits or something it would at least put up a barrier. The reason there is so much traffic from third world countries is because the cost of accessing the internet is effectively zero.
I seem to remember there was a large (indian?) educational YouTuber who did a tutorial on how to use Git where they forked a FOSS repo, made a change to the README.md and then made a PR. This caused a huge influx of garbage PRs for that particular repo and other FOSS repos.
Noticed it in corporate context too. About 40% of the performance feedbacks I saw this year were AI written. India and USA crowd. Everything from Europe looked pretty organic but imagine that’ll change too next cycle
The other side of the coin is that many real bug reports are dismissed out of hand. That is frustrating if you have spent hours or days triaging an issue and have submitted a well-written bug report. It would be useful if projects advertised what their de facto bug report policy is. If it involves snide remarks and pointless bureaucracy ("you did not check this box") then that should be stated to help others avoid wasting time. Perhaps an LLM could help with that: "The likelihood of an external bug report being acted upon is X%, given analysis of past interactions on bug tracker."
I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.
I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.
That person should stop. I give a lot of leeway to anyway who ends with "(English is not my first language, sorry for mistakes)" or if they also post it in their original language (if I'm confused I can machine translate parts of it if the confusion isn't obvious, which it actually always has been for any continental language IME).
Little bit offtopic; is anyone getting more reports of site vulnerabilities I wonder? There are how many AI tools claiming to find those automatically and we get a lot of reports, some even have the tool name on. Thing is, most, well, all so far in the past months, are not true. They seem hallucinations or false positives. We have closed source SaaS products, so these are external scans making these reports.
It's likely because of Google Summer of Code. OWASP has participated as an org several times and it's highly likely that they'll participate this time too.
Students often start making PRs around this time to get more familiar with projects before they can put in a proposal when the time comes.
As someone who's been a programmer for a while now, I feel it's pretty easy to identify slop code and when someone is using an LLM to communicate on issues. I'm not against using LLMs for writing code or even for using it to improve your communication, but it cannot be a substitute for critical thinking.
If I was a maintainer of an OSS project, I'd be more likely to _not_ select students who put out slop PRs, proposals, or messages without thought. And also make this clear in the contributing guidelines so contributors know what they're getting into.
I've noticed this also. But I didn't ascribe it to LLMs, rather figured there is some sort of rogue educator in India who's instructing students to do this on public repos and they just don't know better. But the prof should.
Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never do back as far as I can tell and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.
Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".
Indian here (~15+ years in tech). I've seen this behavior a lot, and unfortunately, I did some of this myself earlier in my career.
Based on my own experience, here are a few reasons (could be a lot more):
1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.
2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.
3. Pay in India is still severely (serioualy low, with 12-14+ hour work days, even more than 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.
Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.
This sounds like a real cross-cultural mismatch, but it’s doing too much work with nationality alone. In a lot of Indian (and broader South Asian) work contexts, questioning instructions can be read as challenging authority or admitting incompetence, so people default to executing without asking. That’s often reinforced by education systems and contractor dynamics where producing something quickly feels safer than pausing to clarify.
Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.
The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.
It is cultural - the whole "not losing face" thing. In a project, I once was squad lead - I was onsite, my squad members were in Bangalore of course. Same experience as you. Once I wanted to talk about a piece of code that we need to improve and refactor, and I was acting in good faith calling the dev that commited that code. When I braught up the code on my screen to start a pair programming, he immediately denied having written the code. Unfortunately for him, being a junior, he did not know about git blame - I entered it in the terminal and his name showed up on that code. Still, he would simply just deny that he wrote it. I then took the git commit hash and looked it up in gitlab, able to bring up the MR he created and the reviewer (wasn't me). Even with that on screen, he still denied being the author - with no arguments or alternative reasoning, he just constantly would repeat "No, I haven't written that". "No no, but I haven't written it". I pulled even the JIRA ticket up, that was about that feature and guess what - he was the assigne and moved it to "In Progress" and "Done". Still with that on screen all I got was a "no, haven't written it".
I had more of those interactions, and we also exchanged some of the indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my sqaud for not being qualified, ended up in different teams in the same corporation, they were basically just moving around inhouse.
After a few month in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with, does not exist anymore :)
I don't know if it is, but I can swear every time I post a job opening (generally contracting work) on LinkedIn 95% of the applicants are Indians/Bangladesh/Pakistanis/Sri Lankans.
I ignore all of their resumes, not because I don't think there's valid individuals among them, I did hire them in the past, but:
1. because the signal to noise ratio is absurd. The overwhelming majority didn't even read the actual post.
2. Even when they are okay developers, communication is always a huge issue. Sync communication in call is though because urdu and other indian area accents are extremely heavy so I really struggle understanding their english, my bad but what can I do about it. If I try to keep it async or chat based then they tend to not ask feedback, clarifications, provide updates, etc. So you feel like you need to micro manage them half the time and they'd rather give you answers to make you immediately happy than surfacing problems.
3. Paying them is always an hassle. Wiring them money through bank accounts is difficult. They generally set up some Paypal or similar service or ask you to pay them on some Hong Kong account from a friend of theirs. I need traceable invoices and simple wires for tax purposes and when sending money to Pakistan multiple times anti-laundering got involved in my country, and we talking low hundreds of euros.
Still, props to the few good ones I've met, they've been critical on some projects of mine. Very professional and knowledgeable. But it's just too bad of a signal/noise ratio, seriously most applicants don't even read job descriptions.
That is a cultural thing, and one of the first things you learn to handle when working tightly together with Indians as an outsider.
I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.
But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.
My guess would be yes, it's cultural. I'm not Indian but spent about 5 months there. Overall my impression was that people act much more on direct feedback.
It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.
People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.
I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.
Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.
Of course it’s cultural, they have to compete with thousands people just like them in environment where human life is cheap and anyone is replaceable. Any authority have huge weight, which comes from historical system how society is separated.
And then any education they receive assumes cheating at exams, then cheat with CV, then cheat with work they do. It’s all about appearances.
I had the same exact experience with an Indian contractor. I requested that he used git instead of Shopify CLI for his changes to a store's theme. He acknowledged my request but kept using the CLI. I once again asked him to use git and even offered a detailed, step-by-step guide on how to pull, branch and then push changes. He absolutely ignored everything and simply kept using the CLI. That was actually amazing to witness. The only hypothesis I have is that it's some kind of cultural thing where asking for help is worse than doing the opposite of what's expected from you. I don't know, but your story supports my hypothesis.
Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.
Many of my Indian friends say it is, but sometimes I feel they can be as self-critical of their country as many Americans are of the USA.
Demographics show that it doesn't have to be cultural - it could just be that India has 9x as many people under the age of 35 compared to the USA. Even if we were culturally similar, for every annoying US youngster "hustling" to try to get employment, there would be 9 early-career Indians doing the same. That alone is enough to drown the "Vox Agora" with Indian voices. Chinese citizens generally don't participate in English-language fora, so their large numbers would be massively under-represented.
If anything else is biasing the populations, the difference in numbers could be even more stark.
I used to work with colleagues from China in contracting and I had the same experience with them. If they don't know something they have hard time saying that they don't know something or don't understand something.
Ficticious Example could be
Q: is this car red?
A: it's not green.
Q: yeah I know it's not green. But is it red?
A: today is Thursday.
One thing I leaned it's not worth pressing forward and causing a scene. Instead it's better to use other ways of finding the information.
When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It become immediately obvious if they were on the right track or not.
The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.
For reference:
Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.
I ran into this when I went to India to help train our team over there.
I tried specifically asking questions where the correct answer was “no” and they wouldn’t tell me no. In some cases I told them I was expecting them to say “no” and they still wouldn’t do it.
It was very difficult to figure out what they knew or didn’t know without putting them through a test and seeing how they did.
Possibly as a consequence of this, what I have observed working with Indians is a very hierarchical structure in which you have a "lead" or "architect" who spells out what to do and how to do it in minute details and micromanages, and "devs" who execute as instructed.
I've worked with mixed nationality teams at a certain 4 letter austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of which i still keep in touch with to this day), is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.
I recently heard from a friend that this is due to something called "izzat". Admitting any sort of wrongdoing would reflect poorly on them and their family, to the point they would rather lie or do the wrong thing than damage their family's reputation.
Culture and what companies want there. I was running a operational team with a couple of incredibly talented guys who had been escalation engineers for large software companies in India.
They were trained really hard to "restore" things in a way that hit some minimal level of the SLA, but not really. It created alot of issues initially in the organization as the "don't question anything" had really been ingrained into them. My observation there is that it made many of the useless support engagements I've experienced make sense, and that a place with that level of discipline and process must be pretty awful.
Could be, but there are a number of very popular Youtube and other video based classes/bootcamps (taught and targeted from/to Indian students) that teach how to work with git and github that show how to create PR's and comments in repos, and then a lot of students do that, on public (and popular) repos.
I was contacted by a guy who said he found a vulnerability on my site. Something like phpinfo being available or something. I informed them that I was aware of it and it's not a vulnerability but did offer to give them a small Amazon gift code if they wanted.
This might be part of the motivation. What's pocket change in the west might be good money in the 3rd world.
> At the I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out
Its incentives. If you’re an Indian student in India, unless you go to a prestigious university, your prospects of landing a job, let alone a good one are very small. Even tech companies that claim to be meritocratic elsewhere, rarely screen resumes beyond the top universities in India. The only other real prospect is to get your resume to stand out. Open source contributions, research papers etc are some ways to do that. And the talented ones make contributions, while the rest just try to fake it in the hopes to make it (it obviously doesn’t work).
There are similar incentives if you want your college application to stand out if you’re trying to go abroad for higher education. And if you’re already outside India, those incentives extend to job applications outside India. If you’re an international student looking for a job, even if you have work experience at known multinational companies, if it’s in India, the experience doesn’t count.
Definitely not. Anyone growing up immersed in face-saving, high pressure, competition and possibly self-help influencers telling them how to achieve will exhibit these sorts of behaviors. Doesn't matter if you're white or black.
there are definitely cultural issues you have to be aware of, and it's not just India, there are many cultures where questioning authority or admitting to uncertainty are less welcome - and some companies and managers reinforce these.
Always consider relative status and power imbalance regardless of nationality too. If someone is afraid to say no you have to factor that in - and 'calling them out on it' is maybe not the most effective reaction, especially if in public.
I always had frustrations with this as a manager until I could establish a personal relationship. Sounds extra hard with short-term remote contractors!
selfishness, laziness, lack of self-awareness, lack of shame, etc are obviously universal traits. But cultures absolutely reinforce them to different degrees. Many cultures around the world are built around the sorts of behaviors we both described.
Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large
Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.
This is hilarious and reminded me of the two stints I had in India, for about 8 months in total at the turn of the century. I was a hippy traveler and asking directions for almost anything was par for the course. I never had anyone local say they didn't know where something was once asked, even though me following their directions lead to the intended target maybe 10% of the time. It was funny and infuriating at the same time :)
Absolutely. I've been traveling for the last 10 years and lived in 50+ countries. I believe that all cultures have unique pros and cons and that the cultural diversity of the world is an amazing thing. There are good and bad people everywhere, so I rarely leave a place with such a strong opinion as the multiple times I've been to India. I really wanted to love India because of their rich history and diversity, but I ended up leaving with a feeling that their culture is overwhelmingly objectively bad.
There are also a lot of Indian students (there are 1.4bn Indians). There are lots of IT jobs, therefore presumably lots of IT students, and unlike in China Internet access (e.g. to GitHub) is not restricted.
I think it's mostly not cultural but just bad engineers lying. IT jobs pays the best in India, and it attracts people who have no skills in IT to just fake their way in.
So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.
It's desperational. The desperation of not having to lose any contract. The desperation of being just one bad year away from being on the streets and having to live a terrible life (no food security).
For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.
volume of low quality content, dsa/leetcode, etc. is so high, good people/content gets left out. networking, connections, nepotism so much high. getting job based on actual talent very rare.
MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.
I think you'll get downvoted to oblivion because outsiders often don't realize the ridiculousness of the whole thing.
I will try to give some context.
To give an example, the CSE undergrad from an average Indian college would've done 500 - 1000 leetcode "problems" for practice. But have little to no idea on how to survive in a UNIX shell, or to troubleshoot an actual problem. Hell, half of them haven't written more than 1000 lines of code for single purpose.
People early in their career (which is most SWEs including yours truly) follow whatever "influencers" on youtube (the local term being bhaiyya-didis), who give them rough "roadmaps" to "crack DSA" or "get high paying remote job". The result is that average CS guy spends most of his time navigating this rat race than studying computer science stuff that matters for the job.
I see similar kind of competition getting created at senior levels too, in the terms of people grinding theory and blog posts on "system design" interviews. I am not old^H^H^H senior enough to comment on it, though.
But it was not all bleak. IIRC, We were producing quite few good OSS contributions through GSoC, LFX etc... until few years ago (not considering my own among good ones). There were talented 1% or so (I known a few very talented people in personally). Nowadays these "hustler" variety people have started "How to crack GSoC" roadmaps [sic] too, and the spamming quoted above see may be related to this. This sort of insane rat race is not good for talented people. It's not good for companies either. Recruitment is basically lottery at higher levels too; I have seen people use AI to shamelessly lie on their resumes and get hired etc... Some of these problems may be present in west but India's scale makes some of these problems difficult.
Because their usernames are Indian and profiles have links to Indian universities, and sometimes descriptions of the 101 classes they're currently taking. That doesn't stop them from saying things like "I see this sort of vulnerability all the time"
Subjecting every real contributor to the "AI guardian" would be unfair, and shadow banning is ineffective when you're dealing with a large number of drive-by nuisances rather than a small number of dedicated trolls. Public humiliation is actually a great solution here.
It sounds funny, but it's not. I once issued a bug to them that didn't have enough information about how to reproduce... and I was lambasted on Reddit and eventually just deleted my account there it was so terrifying. Some dev teams do not mess around. In fact I've shied off most social media since and no longer issue bug reports to any company, I was scarred deep over the treatment.
I've read their reports before. When there's not enough information to reproduce, they do a good job of asking for more information first, and I've never seen a reasonable good-faith report elicit anything overt.
If you failed to give them proper reproduction information when asked, then yeah, you were wasting their time and they should rightfully close your issue.
I've never seen anyone on the curl team undeservedly "lambast" someone, and for a project that has a quite good reputation, I think the burden of proof is on you. Can you link to these supposedly terrifying comments?
It says in the curl file that they will ridicule time-wasters in public and here is one pression confirming that it happened to them, yet somehow that's not enough? Come on.
But at the same time, sometimes you have to really persevere to get a bug fixed.
Consider the perspective of the maintainer of a popular project: to them, you're one person in a big queue of people all reporting problems. Most issues turn out to be "I need free technical support, which you don't offer, so I'll phrase it in the form of a bug", and it saps their time to look into the details of each issue to find whether it's genuine-bug or user-error.
So that's why you should try to give reproduction instructions as best you can, and be up-front if they're incomplete, or you only saw it happen once.
If the maintainer responds harshly, or even if you get commentary from others, remember they are (or should be) criticising the bug report, not you. Try not to take it personally.
And even if they decide to close it, or not investigate further, you've still done the world a favour by adding genuine details about something you saw. The bug report is still searchable when closed. Other people who get the same problem as you are likely to find it, and it might spur them to reproducing the bug where you couldn't, and re-opening or re-reporting the bug and driving it forward to completion.
That surprises me -- from what I've seen, Daniel is actually remarkably tolerant of incomplete/unclear reports. (Too tolerant.) But I imagine that could depend on the day.
(Now, if you used AI to generate the report, well... that's different. Especially if you didn't disclose it up front.)
On the flip side I’ve been following him for a while on Mastodon.
I’ve basically watched the AI crap cycle go from “this is a weird report, oh it’s fake” to “all the reports are trash, it’s so hard to find real humans in the flood” through his posts.
I suspect I would’ve stepped down long ago. I feel so bad for the open source maintainers who are just being assaulted with nonsense.
Please ignore everyone else and do not share any more information about this experience or yourself. These people do not have your best interests in mind and will not mind, or are intending to, make this experience even worse for you.
He rubs me the wrong way, too. Curl is overhyped and a pain to work with. And he's getting high on the "success" while crying about not being paid for something he offers for free. I think Americans have a nice phrase about having cake and eating it, too.
Not only is cURL not overhyped, it’s absolutely false that Daniel “[cries] about not being paid for something he offers for free”. He does get paid for cURL support.
He does criticise rich companies who don’t do anything to support cURL and demand preferential support, but that’s not the same thing (and does warrant criticism).
Seems like a lot of the problems had by the low friction of first eternal september and now LLM genrated reports and contributions, could be resolved by restoring friction. First time reporters/contributers could be required to send their report or PR by paper mail. Strict requirements for the sender: all text printed on postcards (no letter opening) as QR or other data codes according to a standard formatting. Anything even slightly off goes straight to the trash, high signal/interest contributors can still get their foot in the door.
The eternal-september; or its international equivalent, kills things because the nature of the public you are interacting with has changed.
These issues with reports and junk contributions come about because there is a huge payoff for pretending to be part of the community, but the benefit from actually contributing is generally less direct.
I dont think you can solve this with "friction", because the people you want to dissuade are more tolerant to these kinds of barriers than the ones you want invite in.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
Projects are not going to be so open open their development process if they have to keep wading through emoji-filled and erroneous PRs. The Bazaar doesn't work so well if nobody can get around the piles of manure that are being delivered
It's not just open projects, it's anything that accepts unvetted information at all. Bug lists full of shit. Forums full of shit. News feeds full of fake shit. Ads full of fake shit. Cultural zeitgeist full of fake shit.
Culture and society has not figured out how to inoculate themselves yet.
This kind of automated industrial output is the foundation of our culture, it's not surprising that we aren't prepared for the virtual grey-goo of the LLM era that is our milieu brought to it's acme.
I am friends with a solo maintainer of a major open source project.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
As a human being I really enjoy knowing things and being challenged to grow.
While crypto style AI hype man can claim Claude is the best thing since sliced bread the output of such systems is brittle and confidently wrong.
We may have to ride out the storm, to continue investing in self learning as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world changing return on revenue, a one billion revenue last year from
OpenAI is nothing.
Kryptos K4 seems to me like a potential candidate for AI systems to solve if they're capable of actual innovation. So far I find LLMs to be useful tools if carefully guided, but more like an IDE's refactoring feature on steroids than an actual thinking system.
LLMs know (as in have training data) everything about Kryptos. The first three messages, how they were solved including failed attempts, years of Usenet / forum messages and papers about K4, the official clues, it knows about the World Clock in Berlin, including things published in German, it can certainly write Python scripts that would replicate any viable pen-and-paper technique in milliseconds, and so on.
Yet as far as I know (though I don't actively follow K4 work), LLMs haven't produced any ideas or code useful to solving K4, let alone a solution.
Yeah, you would suspect that the individual elements of solving K4 exist in some LLM, but so far the LLM slop answers are just very confident and very wrong.
My biggest complaint is that the users aren’t skeptical. They don’t even ask the LLM to verify if the answer it just generated matches the known hints from the puzzle artist. Beyond that, they don’t ask it to verify whether the decryption method actually yields the plaintext it confidently spit out.
I’m super impressed with Claude Code, though. For my use case, planning and building iOS app prototypes, it is amazing.
Medical? What's the point? I'm happy with 98% of doctors being able to handle known conditions and only the few percent that are really interested to do research.
I think this is probably less effective than if there was some sort of "credit" or reputational score for reporting that seems like something GitHub would have the information to implement.
Finally an explanation to why GitHub suddenly have way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.
I don't understand how it happens, do developers not at least load the pages their changes presumable affects? Or is the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.
I think one of the last thing I'd like on the web is for Microsoft to start keeping a "social score" for developers who participate in FOSS.
I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.
Why no go the other direction and make it hard to identify a user, so people do not do it for fame. Open source worked before people were using it as self advertisement.
Might even be good for Microsoft - they would be the only one knowing who is who.
the berne convention copyright defines inalienable authors rights that can not be sold or taken away from the author. the author of any copyright works always has the right to identify themselves with the work, and therefore your suggestion is not legally possible.
This already exists on the previous platform curl was using (HackerOne), it does not prevent the slop.
At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.
Unfortunately this means that the first reply to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.
Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.
Readit News
It initially got some decent traction and then all of a sudden, all the pull requests came, all the feature requests and then all the bug reports.
I kept telling people this was a side project, if they want to fork it go ahead, but this is not something I'm going to spend a ton of time on. Then all the hate started about how I put something out into the OSS community with no desire to support it. I was bad person, my code was shit and I should stop being a developer.
That was my first and last OSS project.
I applaud and respect the people who are committed to getting OSS out there, but for me, it was a horrible experience.
With free software, many projects have their own code hosting with separate accounts, sometimes even separate bug trackers with another set of accounts (think Bugzilla + GitLab). Any submission is by definition bigger effort, and thus the culture is significantly different.
As an example, just try submitting a patch to GNU libc (if it hasn't switched to GitHub in the intervening years, though I'd be surprised as it's a GNU project, but it's also largely supported by Red Hat), and see where you get to. Or join the GNOME community and submit a fix. Or FreeDesktop. Or KDE. Or...
If you allow me to go on a meandering tangent/exploration:
___
I mean if you think about it, this outcome is more or less inevitable, given the environment we've created.
The foundational building block being that people will always optimize for their own benefit and personal gain. They fundamentally have to, because no one else will. So that gives us a natural source of conflict, because not everyone is a builder (or at least not everyone believes that they would), meaning that they need to get someone else to do what they want to get done.
You as a builder of course operate no different to that. You also want to optimize for your own personal gain. Where it is different though is that you do not rely that much on external resources to do that, given that you can create by your own.
So these are our building blocks.
To have a functioning societal system, we do want and need to allow people that don't to receive a decent-ish slice of the output of those that create for various reasons.
Something something shared humanity, but also the fact that a society built out of autonomous builders quickly collapses. Plus multi-dimensionality, meaning that person A might be a builder in discipline X, but needs others to sustain themself in discipline Y. Society and all. Shared workload.
The mechanism that regulates the flow of resources between these agents is friction.
For example, social shaming for not sharing the fair part of what you're earning is friction. That is a constant eroding force and cost that is supposed to shift your internal mental calculus to make contributing to society the most sensible outcome.
Equally so, the act of being protective of your time, demanding respect, boundaries and fair compensation is friction that is supposed to shift someone else's mental calculus to make fair treatment of you the most sensible outcome.
____
Okay, many words, but what the fuck am I on about?
Here's where this self-regulating system implodes:
In the last two decades or so, we have absolutely supercharged the mechanism of shaming and public pressure (rel: Twitter).
Simultaneously though, we've also _vastly_ nerfed any forms of friction a builder might employ. (rel: GitHub as the default, being "nice and professional" as the default, etc.)
And that is what simply is not working. But we're not talking about that properly, because any platforms we currently have for talking about stuff are absolutely and utterly dominated by those that do not create; meaning that they get to dictate the rules.
In a very unsustainable way of course (see also collapse of democracy in general) but that is still the reality we find us in.
___
And that is _I think_ also where we can find solutions to these problems. Don't get me wrong, I'm not proposing to return to linus and tell people that they should be retroactively aborted for having made a mistake. There were many very important advancements we made culturally to push out toxicity.
We will need to reintroduce friction though.
Likewise, we will need re-engineer our communication spaces to shift the balance of power back to a sustainable equilibrium. Which doesn't mean "cold uncaring meritocracy" (also, what even is merit?) but it will mean not handing out ever-larger megaphones based on who is already screaming the loudest.
___
Anyway, TL;DR:
It's the system, stupid. It is like this, because it can't be any else given the currently governing rules.
Thanks for attending my Ted Talk.
The project managers also get a cut of all merges, testers also must approve of the merge and that feature X is the one they want. So the project manager gets to work and improve/reject features, the user gets control over the features of the project they want and developers get to pick specific features they would like to work on (sort of). everybody gets what they want (sort of). All via attaching $ to the issues of the software, not the people.
Have a bot on GitHub that nags people about the pool of committed money towards each feature, to show that they care about it - with the money being placed into an escrow and being released once the feature is implemented and merged, or until a date is reached with no merge and it's given back to everyone / or when the request is closed with no changes. Ofc no idea how you'd validate each individual issue well enough to prevent someone from misusing it, but one could feasibly create such a system, even if it'd probably get a lot of opposition from everyone.
It might be good to have such a system as an option, but I wouldn't want it to become an expectation. I've got a couple of side projects that are out on GitHub. They have open source licenses and anyone is welcome to fork them, send bug reports, or pull requests, but I don't want to have any obligation of supporting those projects.
- A business has some intrinsic motivation however minuscule to fix unsexy issues like security problems or problems that aren't as visible to customers so they don't get hacked and sued and go under; in a pay-what-you-want bounty scheme all of your users are playing chicken to not be the one to put up the money for the fix. Instead they'll wait until it becomes a problem and fix it in their own branch; no reason to bother upstreaming it until someone comes forward putting up the money.
- IMO there's no way to measure cuts for something like this that can't be gamed. If you close out the bountied issue, but you make use of a bunch of utility code I contributed last week, who gets it? Or if the code I contributed is mostly a mechanical refactor of some very complex code someone else wrote? Do we divvy it up by lines of code, number of commits, etc, and that's just for the squint-and-it's-qualifiable metrics for engineers. No idea how you'd measure a cut for project managers. Someone also may be the steward of the repository and handle administrative work but not do a whole lot of feature-fixing, what cut do they get? Instead of juggling KPIs you can just pay all these people for their common contribution - time - and then you're back at something that businesses do really well.
- For any bounty system to work you need somewhere to track the bounties and hold money in escrow for payouts. Those services exist, they cost money to run, and they are going to take a cut. I'd assume they'd also invest and grow that money while they have it unless that's illegal for some reason I'm not aware of. An incorporated business keeps its bounties in the issue tracker, and its money in an account that accumulates interest that can go toward further development on the actual product instead of third-party support services. Crypto is a no-go here because that limits your contributor pool to exclusively crypto perverts, otherwise normal people have to speculate on it and convert it to normal useful money for a fee.
- I've worked at a place where the devs got to work on whatever they wanted. Required to, really, because there was very little interest or hands-on management from the owner in the direction of the product as long as sales were stable. We had a great time and got paid and we all learned a lot on company time and last I checked they are no longer in business.
- Timelines are a big factor too. If some open-source software I'm using is missing a big feature I'd like (and if post-2024, it's too substantial to just make a copy and have Copilot customize it for my use) I'm still not going to kick in the first $10 in the hopes that somebody someday builds that feature for me. I'm going to be dead or not using the software by then. If I thought the feature I wanted was worth $10,000 and I had $10,000 to kick towards it in the hopes that somebody somewhere would decide to build it, I would instead hire somebody on contract terms to do the work with a greater guarantee of results and some recourse if they screw me.
Free Software sure, that wasn't the point.
Open Source, that was exactly the point. Eric S Raymond, one of the original promoters of the concept of Open Source coined Linus' Law:
Which definitely points in the direction of receiving bug reports and patches from users of the application. He was also a proponent of the Bazaar model, where software is developed in public, as opposed to the Cathedral model where software is only released in milestones (he used GCC and Emacs as examples, which reinforces the part of your statement about the Free Software movement in particular).They did have things like trolls and zealots that thought "Their one idea" was a gift from god and the maintainers were idiots for not adding it to the application. And eventually those people may have been banned from mailing lists. But in general the people posting code were typically well known and had some interest in fixing the application for some useful purpose.
Simply put, no idealism stands the test of time without change. Nature shows us that everything must evolve or it goes extinct. How 'free software' evolves is now up for debate.
It’s up to you to set boundaries (or prices) and communicate them, like an adult. If one is still rude and entitled then ban them from the repo, or let people fork, but not before looking in the mirror first and reflecting at your own behavior.
(I’m trying to imagine folks painting xfree86 maintainers as victims back in the day when xorg forked them for intransigence. The point is disagreements happen, deal with them.)
... Did they try anything as petty as the xorg maintainers are nowadays?
How long does something have to be done a certain way for it to be "to do with"?
I would say we're now two generations deep of software engineers who came up with open source software commonly being mediated through public issue trackers.
That isn't to say it needs to stay that way, just that I think a lot of people do in fact associate public project tracking with open source software.
I partially disagree. It does have to do with open source: Github (et al) are about creating a community around an open source project. It's hard to get adoption without a community; it gives you valid bug reports, use cases you didn't think of, and patches.
You can, if you want, turn off PRs, issues, and literally any feedback from the outside world. But most people don't want that.
> and is not sustainable
I 100% agree. People (including people at for profit companies) are taking advantage of the communities that open source maintainers are trying to build and manipulating guilt and a sense of duty to get their way.
The most insidious burnout I see is in disorganized volunteer communities. A volunteer is praised for jumping in with both feet, pushes themselves really hard, is rewarded vocally and often and with more authority, and is often the one applying the most pressure to themselves. There's no supervisor to tell them to pace themselves. And when their view switches from idealistic to realistic and then falls into pessimistic, they view the environment through a toxic lens.
Then they vanish.
Literally you cannot, you can turn off "Issues", but you cannot turn of pull requests, Microsoft/GitHub forces you to leave that open for others to submit PRs to your repositories no matter what you want.
Just a note, you actually can't turn off PR's on Github repos. At least not permanently.
From the beginning, GNU projects welcomed contributions, and discussions of bugs and features were in the public. Sure it was on mailing lists, not on Github, but it was more than just shipping sources with the binaries.
That isn't to say you have to accept third party pull requests and have an open bug tracker to be free software/open source. Sqlite is a famous example that doesn't follow that model.
FOSS means that the code to be free and open-source, not the schedule or the direction of its developer(s).
I think there are many insane expectations out there, open source or not, so I don't personally see it that linked with the idea/ideal of open source.
> This is software support, it is a job, it should be paid.
Anything can be paid, nobody says otherwise. Some people prefer nobody pays for their source code (open source). Other people do support for free. And so on.
> The currently default model of having ... has nothing to do with open source and is not sustainable.
There were always arguments why open source will not be sustainable, many having some truth in them. But the current issue can be probably solved with some push-back on the speed of things or how attribution works. Something similar used to happen on some forums: you can't post a new thread for one month if you did not reply at least once without getting down-voted. For the current problem : if contributions are anonymous for the first 3 years of you contributing (if you are not banned) and your name becomes public only after, then all this "noise" for "advertisement" will die. Doubt this will discourage any well intentioned contributor.
What's stopping any open source maintainer from charging for their work?
Huge problem for successful OSS projects is like what we have for cURL right here - newbies trying to "earn badge of honor" for scoring CVE on high profile project. The variation of it is newbies trying to score OSS contribution on high profile project (hacktoberfest).
In the end all of it is propping own CV to land a software engineering job or cybersecurity job by wannabes.
As much as I don't want to do gatekeeping and especially "old" Linus Torvalds way of gatekeeping — cURL, Linux Kernel and many high profile projects require gatekeeping to go on forward. We didn't even start on the security side of things not to allow "shady contributors".
I hate "CV proppers", "OSS as great marketing tool", "corporate freeloaders", "APT threat actors using OSS as attack vector" because they break nice things that we could have.
Who cares? That was 30 years ago. How different were computers, programming, and the world back then?
Things change over time. The world is not immutable.
Untrue. Shopping source with _some_ OSI-approved licenses makes the work Free software. Shipping it with others merely makes it open source software.
It is paid, even if not in money. It seems like maybe you lack awareness of the other forms of capital and reward that exist, because your framing implicitly insists that financial capital is the only form of capital and that monetary reward is the only form of reward. But there are also a bunch of other forms of capital, like social, cultural, symbolic, etc. which you have missed, and there are non-capital (non-convertible) forms of reward, like feeling good about something. It's the entire reason why permissive licenses still preserve attribution.
To wit, people maintain things literally all the time either purely for prestige, or because being a contributing member of a community, even a small one, makes them feel good, or because knowing that maintaining things leads others to also maintain things. There are both intrinsic and extrinsic non-monetary gains here.
Stallman makes the same critical error in his foundational writings, so at least you're not alone in this.
(A foundational read on the subject of the different forms of capital is Pierre Bourdieu's The Forms of Capital: https://www.scribd.com/document/859144970/P-Bourdieu-the-For...)
(See also: https://en.wikipedia.org/wiki/Motivation#Intrinsic_and_extri...)
True, but the expectation means that taking on maintenance involves taking on and leveraging a large amount of reputational debt in a very risky way.
If you release something to the world and place yourself in a high-visibility maintainer position, burn out on it and then decide to drop it, it's very hard to ensure that your legacy and reputation in perpetuity will be "released something great and did the world a solid by maintaining it for a while" as opposed to "person who overcommits, bails, and leaves the world in a jam".
I suggested following what Ghostty does where everything starts as discussions - only maintainers create issues, and PRs can only come from issues. It seems like this would deter these sorts of lazy efforts.
Resume glorification and LinkedIn / GitHub profile attention do that.
I am seeing a lot of people coming up with perceived knowledge that's just LLM echo chambers. Code they contribute comes straight out of LLMs. This is generally fine as long as they know what it does. But when you ask them to make some changes, some are as lost as ever.
Torvalds was right, code maintenance is going to be a headache thanks to LLMs.
Thanks to their LLM reliance they'd soon not know what it does, and forget even the little they know about coding
I know someone in a senior engineering position at Epic who does nothing but clean up PR's from their off-shored Ukrainian sweat shop coders handing in AI slop because all they need to do is close a ticket to get paid. They wind up rewriting half or more of it. Epic doesn't seem to care so long as this "solution" works and saves them money by paying a few really smart people to code janitor until hopefully all of them can be replaced by LLMs.
I wondered why people would video themselves going around slapping strangers in public then shouting "its just a prank bro" - turns out it works.
I’m actually of the mind it will be easier IF you follow a few rules.
Code maintenance is already a hassle. The solution is to maintain the intent or the original requirements in the code or documentation. With LLMs, that means carrying through any prompts and to ensure there are tests generated which prove that the generated code matches the intent of the tests.
Yes, I get that a million monkeys on typewriters won’t write maintainable code. But the tool they are using makes it remarkably easy to do, if only they learn to use it.
Someone creates a garbage issue. Someone else asks to be assigned. Someone from the project may say "we don't assign issues" (this step has zero effect over later steps). Someone else submits a PR. Maybe someone else will submit another PR. Maintainers then agonise how they can close issues and PR(s) without being rude or discouraging to genuine efforts.
Would love your thoughts on some of the things we're thinking about: - Would it help to disable all PRs? All non-contributor PRs? - Would a "close as admin" button help address the issue of not wanting to be rude or discouraging? - What about Copilot doing an initial review and proposing to close anything that doesn't meet contribution guidelines - would that help a "close this" decision feel less personal?
My suspicion is somehow the perception became that if you’re brand new and land a PR in a major open source repo (even as simple as rewording a phrase in a doc that doesn’t need to be reworded), that would help them get a job (they’re always Open to Work on their GitHub about me page).
It’s so much noise that it’s hard to find the real issues.
We have tried a lot here in the past (good first issues, more community support for new users), but haven't found a perfect solution yet. Internally, we're looking at options for admins to disable PRs on repos, or limit PRs to collaborators only, for example. From your comment, it seems like part of the challenge you're experiencing as a user is around Issues specifically. We've also been looking at options to delete PRs and Issues individually and in bulk, which could help after the event. Would welcome any feedback on other paths we could take here.
Article about it here: https://socket.dev/blog/express-js-spam-prs-commoditization-...
https://ongchinhwee.me/shitoberfest-ruin-hacktoberfest/
From https://en.wikipedia.org/wiki/Perverse_incentive
"According to the story, the British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped, and the cobra breeders set their snakes free, leading to an overall increase in the wild cobra population."
There’s a lot to dislike about shame as an enforcement mechanism but I’m starting to miss some of the upside it delivered.
https://joel.net/how-one-guy-ruined-hacktoberfest2020-drama
I was reading some GitHub comments earlier and the AI tone and structure in the comments posted by some users made me feel really uneasy for some reason.
I know a Brazilian who puts lots of emails through ChatGPT because they aren't confident in their English, but this seemed to be AI generating the majority of the content of the message too.
Check the closed PR's on express https://github.com/expressjs/express
Yikes!
Students often start making PRs around this time to get more familiar with projects before they can put in a proposal when the time comes.
As someone who's been a programmer for a while now, I feel it's pretty easy to identify slop code and when someone is using an LLM to communicate on issues. I'm not against using LLMs for writing code or even for using it to improve your communication, but it cannot be a substitute for critical thinking.
If I was a maintainer of an OSS project, I'd be more likely to _not_ select students who put out slop PRs, proposals, or messages without thought. And also make this clear in the contributing guidelines so contributors know what they're getting into.
would be so awesome if github supported all that. probably kills their business model though
Is this cultural? I ran a small business some years ago (later failed) and was paying for contract work to various people. At the I perceived the pattern that Indian contractors would never ever ask for clarifications, would never say they didn't know something, would never say they didn't understand something, etc. Instead they just ran with whatever they happened to have in their mind, until I called them out. And if they did something poorly and I didn't call them out they'd never do back as far as I can tell and wonder "did I get it right? Could I have done better?". I don't get this attitude - at my day job I sometimes "run with it" but I periodically check with my manager to make sure "hey this is what you wanted right?". There's little downside to this.
Your comment reminded me of my experience, in the sense that they're both a sort of "fake it till you make it".
Based on my own experience, here are a few reasons (could be a lot more):
1. Unlike most developed countries, in India (and many other develping countries), people in authority are expected to be respected unconditinally(almost). Questioning a manager, teacher, or senior is often seen as disrespect or incompetence. So, instead of asking for clarification, many people just "do something" and hope it is acceptable. You can think of this as a lighter version of Japanese office culture, but not limited to office... it's kind of everywhere in society.
2. Our education system mainly rewards results, not how good or well-thought-out the results are. Sure, better answers get more marks, but the gap between "okay" and "excellent" is usually not emphasized much. This comes from scale problems (huge number of students), very low median income (~$2400/year), and poorly trained teachers, especially outside big cities. Many teachers themselves memorize answers and expect matching output from students. This is slowly improving, but the damage is already there.
3. Pay in India is still severely (serioualy low, with 12-14+ hour work days, even more than 996 culture of China) low for most people, and the job market is extremely competitive. For many students and juniors, having a long list of "projects", PRs, or known names on their resume most often the only way to stand out. Quantity often wins over quality. With LLMs, this problem just got amplified.
Advice: If you want better results from Indian engineers(or designers or anyone else really), especially juniors (speaking as of now, things might change in near future), try to reduce the "authority" gap early on. Make it clear you are approachable and that asking questions is expected. For the first few weeks, work closely with them in the style you want them to follow.. they usually adapt very fast once they feel safe to do so.
Add in time zones, language friction, and fear of losing work, and "just run with it" becomes a rational strategy. Meanwhile, many Western workplaces treat clarification and check-ins as professionalism, so the behavior reads as strange or careless.
The key point is that this usually isn’t lack of curiosity or reflection, but risk management under different norms. The pattern often disappears once expectations are explicit: ask questions, check back, iteration is expected.
I had more of those interactions, and we also exchanged some of the indian devs (they were sold to the client by a big consulting group, and immediately replaced by someone else if we wished). I later found out, people that I have had replaced in my sqaud for not being qualified, ended up in different teams in the same corporation, they were basically just moving around inhouse.
After a few month in the project I swore to myself never to work with offshores again. And as a side note, the bank I did the project with, does not exist anymore :)
I ignore all of their resumes, not because I don't think there's valid individuals among them, I did hire them in the past, but:
1. because the signal to noise ratio is absurd. The overwhelming majority didn't even read the actual post.
2. Even when they are okay developers, communication is always a huge issue. Sync communication in call is though because urdu and other indian area accents are extremely heavy so I really struggle understanding their english, my bad but what can I do about it. If I try to keep it async or chat based then they tend to not ask feedback, clarifications, provide updates, etc. So you feel like you need to micro manage them half the time and they'd rather give you answers to make you immediately happy than surfacing problems.
3. Paying them is always an hassle. Wiring them money through bank accounts is difficult. They generally set up some Paypal or similar service or ask you to pay them on some Hong Kong account from a friend of theirs. I need traceable invoices and simple wires for tax purposes and when sending money to Pakistan multiple times anti-laundering got involved in my country, and we talking low hundreds of euros.
Still, props to the few good ones I've met, they've been critical on some projects of mine. Very professional and knowledgeable. But it's just too bad of a signal/noise ratio, seriously most applicants don't even read job descriptions.
I can't remember all the techniques but a simple trick is to ask them to repeat their understanding back to you before they start working on a thing.
But I don't think it's connected to sending "malicious" reports. That seems rather to be to pad their resume and online presence while studying to get an edge in hiring.
It would be typical to do the first thing that comes to mind, then see what happens. No negative feedback? Done, move on. Negative feedback? Try the next best thing that makes the negative feed back go away.
People will not wonder whether they might bother you. Just start talking. Maybe try to sell you something. That's often annoying. But also just be curious, or offer tea. You react annoyed and tell them to go away? They most likely will and not think anything bad of it. You engage them? They will continue. Most likely won't take "hints" or whatever subtle non-verbal communication a Westerner uses.
I found it quite exhausting in the beginning, it feels like constantly having to defend myself when I want to be left alone. But after I started understanding this mode and becoming more firm in my boundaries, I started to find it quite nice for everyday interactions. Much less guessing involved, just be direct.
Professionally I haven't worked much with Indians, but my expectation would be that it's necessary to be more active in ensuring that things are in track. Ask them to reflect back to you what the stated goal is. Ask them for what you think are obvious implications from the stated goal to ensure they're not just repeating the words. Check work in progress more often.
Ask culture scales a lot better in a fast changing world full of strangers. Guess culture saves friction, but only in situations where people are mostly guessing correctly because the social structure and expectations are fixed.
Many of my Indian friends say it is, but sometimes I feel they can be as self-critical of their country as many Americans are of the USA.
Demographics show that it doesn't have to be cultural - it could just be that India has 9x as many people under the age of 35 compared to the USA. Even if we were culturally similar, for every annoying US youngster "hustling" to try to get employment, there would be 9 early-career Indians doing the same. That alone is enough to drown the "Vox Agora" with Indian voices. Chinese citizens generally don't participate in English-language fora, so their large numbers would be massively under-represented.
If anything else is biasing the populations, the difference in numbers could be even more stark.
Deleted Comment
Ficticious Example could be
Q: is this car red? A: it's not green. Q: yeah I know it's not green. But is it red? A: today is Thursday.
One thing I leaned it's not worth pressing forward and causing a scene. Instead it's better to use other ways of finding the information.
When guiding team members I always found it useful to have them explain back to me in their own words what they're tasked to do. It become immediately obvious if they were on the right track or not.
The people having a terrible time with Indian contractors always deal with folks making 3k-10k USD/year. Of course the quality is bad.
For reference:
Good Indian devs out of college make atleast 30k USD. Good senior devs make atleast 50k. The really good ones make much more. Most American companies outsource to bottom of the barrel contracting companies like Infosys.
0: https://en.wikipedia.org/wiki/Face_(sociological_concept)
I experienced this same thing working with offshore Indian contractors 20 years ago. Interesting to hear someone else echo my observations.
I tried specifically asking questions where the correct answer was “no” and they wouldn’t tell me no. In some cases I told them I was expecting them to say “no” and they still wouldn’t do it.
It was very difficult to figure out what they knew or didn’t know without putting them through a test and seeing how they did.
I've worked with mixed nationality teams at a certain 4 letter austinite corporation a couple thousand moons ago. One thing in common with my Asian colleagues back then (many of which i still keep in touch with to this day), is that they would usually refrain from saying things that could rock the boat or disappoint you. If they lacked knowledge for the task at hand, they wouldn't let you know. If they were late on a delivery, they'd insist it would be ready by a certain date. This led to situations where other regional managers would have to plan contingencies to work around the issue.
https://burakpsych.weebly.com/uploads/5/6/0/6/56066915/ethni...
https://en.wikipedia.org/wiki/Power_distance
https://en.wikipedia.org/wiki/Hofstede%27s_cultural_dimensio...
They were trained really hard to "restore" things in a way that hit some minimal level of the SLA, but not really. It created alot of issues initially in the organization as the "don't question anything" had really been ingrained into them. My observation there is that it made many of the useless support engagements I've experienced make sense, and that a place with that level of discipline and process must be pretty awful.
https://news.ycombinator.com/item?id=24658052
Indian students have a long history of disrupting free/libre projects, this is nothing new
> Is this cultural?
Could be, but there are a number of very popular Youtube and other video based classes/bootcamps (taught and targeted from/to Indian students) that teach how to work with git and github that show how to create PR's and comments in repos, and then a lot of students do that, on public (and popular) repos.
There are a couple very famous examples of this.
This might be part of the motivation. What's pocket change in the west might be good money in the 3rd world.
Sounds like an LLM
Its incentives. If you’re an Indian student in India, unless you go to a prestigious university, your prospects of landing a job, let alone a good one are very small. Even tech companies that claim to be meritocratic elsewhere, rarely screen resumes beyond the top universities in India. The only other real prospect is to get your resume to stand out. Open source contributions, research papers etc are some ways to do that. And the talented ones make contributions, while the rest just try to fake it in the hopes to make it (it obviously doesn’t work).
There are similar incentives if you want your college application to stand out if you’re trying to go abroad for higher education. And if you’re already outside India, those incentives extend to job applications outside India. If you’re an international student looking for a job, even if you have work experience at known multinational companies, if it’s in India, the experience doesn’t count.
It’s all about incentives and responding to them.
Always consider relative status and power imbalance regardless of nationality too. If someone is afraid to say no you have to factor that in - and 'calling them out on it' is maybe not the most effective reaction, especially if in public.
I always had frustrations with this as a manager until I could establish a personal relationship. Sounds extra hard with short-term remote contractors!
Whereas other cultures have at least some (if not a lot of) resistance to it - eg publicly ridiculing when people step flagrantly out of line. This is good. My impression is that British culture is like this - "taking the piss", or worse, out of people whose egos start to get too large
Edit: what about this comment could possibly be worth a downvote...? Not that I care about points, but it just seems to be an objective assessment of human nature and cultures, without even singling out any cultures that need improvement.
Absolutely. I've been traveling for the last 10 years and lived in 50+ countries. I believe that all cultures have unique pros and cons and that the cultural diversity of the world is an amazing thing. There are good and bad people everywhere, so I rarely leave a place with such a strong opinion as the multiple times I've been to India. I really wanted to love India because of their rich history and diversity, but I ended up leaving with a feeling that their culture is overwhelmingly objectively bad.
In my experience, yes, but I hope that's just my personal experience over the past 20 years.
it's interesting how it parallels the issue with llms today, they are basically perverse instantiation genies. your wish is my command.
So for every good developer in India there are probably 20 bad ones who have no idea what they are doing.
For students, often there is no pathway to actually become good due to lack of resources. So, the only way is to fake it into a job and then become good.
Dead Comment
volume of low quality content, dsa/leetcode, etc. is so high, good people/content gets left out. networking, connections, nepotism so much high. getting job based on actual talent very rare.
MNCs which are good outside are so much sh8t here; well capitalism doesn't give a f8ck anyways.
I will try to give some context.
To give an example, the CSE undergrad from an average Indian college would've done 500 - 1000 leetcode "problems" for practice. But have little to no idea on how to survive in a UNIX shell, or to troubleshoot an actual problem. Hell, half of them haven't written more than 1000 lines of code for single purpose.
People early in their career (which is most SWEs including yours truly) follow whatever "influencers" on youtube (the local term being bhaiyya-didis), who give them rough "roadmaps" to "crack DSA" or "get high paying remote job". The result is that average CS guy spends most of his time navigating this rat race than studying computer science stuff that matters for the job.
I see similar kind of competition getting created at senior levels too, in the terms of people grinding theory and blog posts on "system design" interviews. I am not old^H^H^H senior enough to comment on it, though.
But it was not all bleak. IIRC, We were producing quite few good OSS contributions through GSoC, LFX etc... until few years ago (not considering my own among good ones). There were talented 1% or so (I known a few very talented people in personally). Nowadays these "hustler" variety people have started "How to crack GSoC" roadmaps [sic] too, and the spamming quoted above see may be related to this. This sort of insane rat race is not good for talented people. It's not good for companies either. Recruitment is basically lottery at higher levels too; I have seen people use AI to shamelessly lie on their resumes and get hired etc... Some of these problems may be present in west but India's scale makes some of these problems difficult.
It doesn't until suddenly it does. A glut of junk can eventually trigger a flight to quality.
Sadly, possibly not on a timeline which works for a given individual.
Deleted Comment
Dead Comment
How do you know this?
If I ever need to start using an AI to summarize text that someone else has generated with AI from a short summary, I'm gonna be so fucking done.
If you failed to give them proper reproduction information when asked, then yeah, you were wasting their time and they should rightfully close your issue.
I've never seen anyone on the curl team undeservedly "lambast" someone, and for a project that has a quite good reputation, I think the burden of proof is on you. Can you link to these supposedly terrifying comments?
But at the same time, sometimes you have to really persevere to get a bug fixed.
Consider the perspective of the maintainer of a popular project: to them, you're one person in a big queue of people all reporting problems. Most issues turn out to be "I need free technical support, which you don't offer, so I'll phrase it in the form of a bug", and it saps their time to look into the details of each issue to find whether it's genuine-bug or user-error.
So that's why you should try to give reproduction instructions as best you can, and be up-front if they're incomplete, or you only saw it happen once.
If the maintainer responds harshly, or even if you get commentary from others, remember they are (or should be) criticising the bug report, not you. Try not to take it personally.
And even if they decide to close it, or not investigate further, you've still done the world a favour by adding genuine details about something you saw. The bug report is still searchable when closed. Other people who get the same problem as you are likely to find it, and it might spur them to reproducing the bug where you couldn't, and re-opening or re-reporting the bug and driving it forward to completion.
Dead Comment
(Now, if you used AI to generate the report, well... that's different. Especially if you didn't disclose it up front.)
I’ve basically watched the AI crap cycle go from “this is a weird report, oh it’s fake” to “all the reports are trash, it’s so hard to find real humans in the flood” through his posts.
I suspect I would’ve stepped down long ago. I feel so bad for the open source maintainers who are just being assaulted with nonsense.
The only official community spaces they maintain are:
- their GitHub projects (Issues, Pull Requests, Discussions)
- their mailing lists
- their HackerOne page
If you were harassed on Reddit that is still shitty of course, but it's not gonna be on the project's dev team:
> Some dev teams do not mess around.
Unless some of the devs have verifiable, pseudo-official presence there at least.
Dead Comment
https://daniel.haxx.se/job.html
He does criticise rich companies who don’t do anything to support cURL and demand preferential support, but that’s not the same thing (and does warrant criticism).
These issues with reports and junk contributions come about because there is a huge payoff for pretending to be part of the community, but the benefit from actually contributing is generally less direct.
I dont think you can solve this with "friction", because the people you want to dissuade are more tolerant to these kinds of barriers than the ones you want invite in.
I'm not sure it helped in the end, afaik they did it since like 2003 until some years after the raid, but it still seemed like they didn't get the message and kept trying anyways, which from their perspective makes sense but still.
Should be a highlight of the 2020's decade.
It's not just open projects, it's anything that accepts unvetted information at all. Bug lists full of shit. Forums full of shit. News feeds full of fake shit. Ads full of fake shit. Cultural zeitgeist full of fake shit.
Culture and society has not figured out how to inoculate themselves yet.
He repeatedly complains that at the beginning of some semester, he sees a huge spike of false/unproveable security weakness reports / GutHub issues in the project. He thinks that there is a Chinese university which encourages their students to find and report software vulns as part of their coursework. They don’t seem to verify what they describe is an actual security vuln or that the issue exists in his GitHub repo. He is very diligent and patient and tries to verify the issue is not reproducible, but this costs him valuable time and very scarce attention.
He also struggles because the upstream branch has diverged from what the major Linux distribution systems have forked/pulled. Sometimes the security vulns are the Linux distro package default configurations of his app, not the upstream default configurations.
And also, I’m part of the Kryptos K4 SubReddit. In the past ~6 months, the majority of posts saying “I SOLVED IT!!!1!” Are LLM copypasta (using LLM to try to solve it soup-to-nuts, not to do research, ideate, etc). It got so bad that the SubReddit will ban users on first LLM slop post.
I worry that the fears teachers had of students using AI to submit homework has bled over into all aspects of work.
While crypto style AI hype man can claim Claude is the best thing since sliced bread the output of such systems is brittle and confidently wrong.
We may have to ride out the storm, to continue investing in self learning as big tech cannot truly spend 1.5 trillion on the AI investment in 2025 without a world changing return on revenue, a one billion revenue last year from OpenAI is nothing.
LLMs know (as in have training data) everything about Kryptos. The first three messages, how they were solved including failed attempts, years of Usenet / forum messages and papers about K4, the official clues, it knows about the World Clock in Berlin, including things published in German, it can certainly write Python scripts that would replicate any viable pen-and-paper technique in milliseconds, and so on.
Yet as far as I know (though I don't actively follow K4 work), LLMs haven't produced any ideas or code useful to solving K4, let alone a solution.
My biggest complaint is that the users aren’t skeptical. They don’t even ask the LLM to verify if the answer it just generated matches the known hints from the puzzle artist. Beyond that, they don’t ask it to verify whether the decryption method actually yields the plaintext it confidently spit out.
I’m super impressed with Claude Code, though. For my use case, planning and building iOS app prototypes, it is amazing.
As one does in academia, so to the market, because now we have financial incentive. It ain't going to stop.
But not the motivation. GitHub incentives this type of behaviour, they push you to use their LLMs.
GitHub is under Microsoft’s AI division.
https://www.geekwire.com/2025/github-will-join-microsofts-co...
Finally an explanation to why GitHub suddenly have way more bugs than usual for the last months (year even?), and seemingly whole UX flows that no longer work.
I don't understand how it happens, do developers not at least load the pages their changes presumable affects? Or is the developers doing 100% vibe-coding for production code? Don't get me wrong, I use LLMs for development too, but not so I can sacrifice quality, that wouldn't make much sense.
I understand where it's coming from, and I too think the current situation sucks, but making Microsoft responsible for something like that is bound to create bad times for everyone involved.
Might even be good for Microsoft - they would be the only one knowing who is who.
At my previous employer, I had access to the company’s bug bounty submissions and I can assure you no matter what you try to do, people will submit slop anyway. This is why many companies will pay for “triage services” that do some screening to try to ensure that the exploit actually works.
Unfortunately this means that the first reply to many credible reports are from people who aren’t familiar with the service, meaning that reports often take a long time to be triaged for no reason other than the fact that the reporter assumed that the person reviewing the report would actually understand the product. It’s hard to write good, concise reports if you can’t assume this fact.
Honestly, I don’t know what can be done to fix all of this. It’s a bad situation for everyone involved, and only getting worse.
I guess people would complain if it was tied to Github.